Cybergeddon – how real is the threat: part one

In 2014, the general public was bemused when North Korea denounced Sony Entertainment for making a film, The Interview, which criticised its leader, Kim Jong-un, in a satirical manner. Bemusement turned to titillation when a hacker group named the ‘Guardians of Peace’ released a torrent of emails hacked from Sony accounts that portrayed a culture of boorish executive attitudes towards actors and directors. Titillation turned to widespread anger and recriminations, however, when the group threatened terrorist attacks upon theatres, causing the cancellation of its theatrical release.

While the Sony cyber attack caused financial and reputational damage, other cyber attacks with far more potentially damaging consequences were underway at approximately the same time. Canada’s National Research Council (NRC) Frequency and Time group uses cesium atomic clocks to accurately determine time to a few millionths of a second per year, and makes the information available to the public through the Network Time Protocol (NTP). Companies, research organisations and government agencies use the NTP to set their computers’ time clocks. The high precision is essential for activities including navigation, electricity measurement and manufacturing.

In 2014, the NRC came under a cyber attack. In a memo, the council outlined that its clock synchronisation service had been hit with two denial of service attacks, in which a server is bombarded with immense nuisance traffic in an effort to overload it. Other NTP services around the world also reported similar incidents. The assaults were, in effect, attempts to widely disrupt commercial, research and government activities. The NRC claimed that at least one of the attacks was instigated by a Chinese agency; Beijing has denied involvement.
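As an added illustration (not from the article, and not the NRC's own tooling) of the kind of check an NTP operator could run to spot the flood described above: a sliding-window count of requests per source over a constructed log. The `timestamp client-ip mode` line format and the threshold are assumptions.

```python
"""Sliding-window rate check over a constructed NTP request log (added example)."""
from collections import defaultdict, deque

# Constructed sample log: "<epoch seconds> <client ip> <ntp mode>". A well-behaved
# client polls every 64 s or slower; one source here sends 100 requests per second.
SAMPLE_LOG = "\n".join(
    ["1404000000.00 203.0.113.5 mode=3"]
    + [f"{1404000000.0 + i * 0.01:.2f} 198.51.100.7 mode=3" for i in range(300)]
    + ["1404000001.50 203.0.113.9 mode=3", "1404000064.00 203.0.113.5 mode=3"]
)


def parse_line(line):
    """Return (timestamp, source_ip) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        return float(parts[0]), parts[1]
    except ValueError:
        return None


def find_flooders(log_text, window_s=1.0, threshold=50):
    """Report sources that exceed `threshold` requests inside any `window_s`-second
    window. Returns {ip: peak number of requests seen in one window}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the current window
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that have aged out
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests in one second -> candidate for rate limiting")
```

Normal pollers (two requests 64 s apart) never trip the threshold; only the flooding source is reported.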

According to statistics, cyber attacks are widespread and growing. In 2014, over 3000 corporations in the US alone experienced cyber attacks, including Home Depot, Target and JPMorgan Chase, causing billions of dollars in damage. Many corporations now routinely report cyber attacks as a fact of life; GE, Berkshire Hathaway and ExxonMobil all include cyber security as a risk factor in their annual financial filings.

Hitting home

For the oil and gas sector, some attacks have already caused serious repercussions. In June 2010, centrifuges in Iran’s nuclear development facilities began to malfunction. Over 1000 devices designed to enrich uranium began to behave erratically, literally whirling themselves to bits. Security analysts eventually discovered Stuxnet, an advanced persistent threat (APT) malware in the supervisory control and data acquisition (SCADA) operating system.

Stuxnet left a primer for hackers to emulate. Saudi Aramco, the world’s largest oil company with a production capacity of 9 million bpd of oil and 9.9 billion ft3/d of gas, announced that the Shamoon virus, a variant of Stuxnet, had infected approximately 30 000 office computers. The virus wiped all files, including master boot records, so that the machines could not be restarted. “The US Department of Defense called it one of the most sophisticated attacks ever,” said Josh Abraham, Vice President of Services for Praetorian Group, a security consultancy. “It did not do physical damage, but it did considerable harm to an organisation that provides 10% of the global oil supply. There was no telltale programming or path to identify its source.”

Cyber attacks can be described by four general characteristics. The first pair concerns the type of attack: targeted, or untargeted (where the virus is contracted unintentionally). The second pair concerns the source of the attack: internal or external.

Internal attacks

Internal, untargeted attacks can occur due to the accidental connection of a personal device to the system. Plugging a smart phone into a USB port to recharge it can give malware an opportunity to infiltrate. “Any new technology creates a potential new risk,” said Abraham. “Every corporation needs to be aware of the potential risks, and evaluate and reevaluate both software and the hardware devices.”

Internal targeted attacks are uncommon, approximately 10% of reported cases, but they can be quite serious. Several years ago, when his contract was not renewed, a disgruntled engineer at an Australian water utility familiar with the SCADA system created malware that manipulated valves to discharge wastewater and compromise the water supply.

External attacks

The largest group of attacks is external and untargeted. Typically, a malicious email attachment or website is the source of infection. The virus then replicates, infecting workstations and generally causing work processes to slow or cease.

External, targeted attacks are designed to damage the system of a specific corporation or agency. Hackers can try to get through the firewall, or they can flood a website with traffic in order to cause a denial of service. There can be many sources of external, targeted attacks, from lone hackers using readily available malware to highly skilled groups motivated by environmental, political or monetary reasons (informally referred to as hacktivists).